The goal of this exercise is to learn how to use various Kerberos encryption
algorithms to secure the communication. In J2SE 1.4, Java GSS/Kerberos provided
support for only the DES encryption type. The Java GSS/Kerberos provider
has been enhanced in J2SE 5.0 and later releases to support stronger
Kerberos encryption algorithms, and is in compliance with the latest
Kerberos specification, RFC 4120.
Support for various Kerberos encryption types, such as AES256, AES128,
3DES, RC4-HMAC, and DES, is now available. J2SE 5.0 supports the 3DES
and DES Kerberos encryption types. Support for AES and RC4-HMAC in
Kerberos is available from Java SE 6 onwards.
Here is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE 6.0:

src/krb5.conf

AES256-CTS encryption type
[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

NOTE: Solaris 10 does not support AES256 by default. You will need to install
the following packages: SUNWcry, SUNWcryr, SUNWcryptoint. In addition, JCE in
Java SE also does not support AES256 by default.

AES128-CTS encryption type
[libdefaults]
default_tkt_enctypes = aes128-cts
default_tgs_enctypes = aes128-cts
permitted_enctypes = aes128-cts

RC4-HMAC encryption type
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

DES3-CBC-SHA1 encryption type
[libdefaults]
default_tkt_enctypes = des3-cbc-sha1
default_tgs_enctypes = des3-cbc-sha1
permitted_enctypes = des3-cbc-sha1

DES-CBC-MD5 encryption type
[libdefaults]
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5

DES-CBC-CRC encryption type
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

      % kdestroy
 
      % xterm &
      % java \
        -Djava.security.auth.login.config=jaas-krb5.conf \
        -Djava.security.krb5.conf=krb5.conf \
         GSSServer

host running on the machine j1hol-001, you would
enter the following. When prompted for the password, enter changeit.

      % java -Djava.security.auth.login.config=jaas-krb5.conf \
        -Djava.security.krb5.conf=krb5.conf \
        GSSClient host j1hol-001

In this exercise, you learned how to
write a client-server application that uses the Java GSS API to
authenticate and communicate securely, using stronger
Kerberos encryption algorithms. You can enable Kerberos debugging
(-Dsun.security.krb5.debug=true) to obtain information about the
Kerberos encryption type used.
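
The following is an added example, not part of the original exercise: a small check that reads the three enctype settings from the [libdefaults] section of a krb5.conf and reports any value that the IETF has since deprecated (single DES in RFC 6649, 3DES and RC4 in RFC 8429). It recognises only the enctype names used on this page; the sample file content and the function name audit_krb5_conf are constructed for illustration.

```python
import re

# Enctype names as used on this page, mapped to the RFC that deprecates them:
# single DES in RFC 6649, 3DES and RC4 in RFC 8429.
DEPRECATED = {
    "des-cbc-crc": "RFC 6649",
    "des-cbc-md5": "RFC 6649",
    "des3-cbc-sha1": "RFC 8429",
    "rc4-hmac": "RFC 8429",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample input, not taken from the exercise files.
SAMPLE = """\
# comment lines and other sections must be ignored
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes128-cts, rc4-hmac
permitted_enctypes = aes256-cts des3-cbc-sha1 DES-CBC-MD5
[realms]
EXAMPLE.COM = { kdc = kdc.example.com }
"""

def audit_krb5_conf(text):
    """Return (key, enctype, rfc) for each deprecated enctype in [libdefaults]."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if section != "libdefaults" or not sep or key.strip() not in ENCTYPE_KEYS:
            continue
        # Enctype lists may be separated by whitespace, commas, or both.
        for enctype in re.split(r"[,\s]+", value.strip().lower()):
            if enctype in DEPRECATED:
                findings.append((key.strip(), enctype, DEPRECATED[enctype]))
    return findings

if __name__ == "__main__":
    for key, enctype, rfc in audit_krb5_conf(SAMPLE):
        print(f"{key}: {enctype} is deprecated by {rfc}")
```

An empty result means none of the three settings names a deprecated enctype from this page; it does not confirm which enctype a ticket actually used, which the debugging flag above reports.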